When I first submit my search form via $_GET it returns results as expected but when using pagination and submitting it again for page X I see that it converts a portion of my URL and fails.
Here is the before and after URL portion that is changing:
// Before
min_score=1&max_score=10¬_scored=1
// After
min_score=1&max_score=10%AC_scored=1
It's encoding 10& How can I prevent this from happening?
The reason is that ¬ gets intepreted by the browser as ¬. Strict mode or any DOCTYPE might help.
And ¬ simply gets substituted as ¬ then. Which in turn becomes %AC in request urls.
Besides urlencode() on the individual values you should additionally apply htmlspecialchars() on the whole URL before you add it into the <a> tag.
always type urls with
&
instead of &...
Related
kindly I have two links,
when using both of the links in another page, the first link is decoded automatically by GET Method and the second didn't.
the problem is that if there is a space in any attribute, the get don't decode automatically the URL and if there are no spaces, the get automatically decoding the URL which is the correct behaviour
tip : the only encoded attribute is BodyStr and encoded via URLENCODE PHP function.
another tip: the difference between both is the space in subjectStR Attribute
I want to know why spaces in URL prevent GET Global Variable from automatically decoding all the attributes
$message=urlencode($message);
http://localhost/test4.php?me=ahmed&y=1&clientid=55&default=1&Subjectstr=**Email From Contactuspage`**&BodyStr=$message
http://localhost/test4.php?me=ahmed&y=
1&clientid=55&default=1&Subjectstr=**EmailFromContactuspage**&BodyStr=$message
Space isn't allowed in URL query strings. If you put an unencoded space in SubjectStr, the URL ends at that point, so the server never sees the BodyStr parameter.
You need to URL-encode SubjectStr. Replace the spaces with + or %20.
$message=urlencode($message);
$url = "http://localhost/test4.php?me=ahmed&y=1&clientid=55&default=1&Subjectstr=Email+From+Contactuspage&BodyStr=$message"
The reason why it stops at space is because of the HTTP protocol. The client sends:
GET <url> HTTP/1.1
This request line is parsed by looking for the space between the URL and the HTTP version token. If there's a space in the URL, that will be treated as the end of the URL.
I have a form I'm trying to submit to a database. Upon successful submission I would like the page to redirect to a page containing the submitted data. I'm doing this with a query string like:
header("location:palette.php?colID=$title");
Which is producing a URL like: palette.php?colID=Funky%20Colours
Is it possible for the PHP header redirect to redirect to a query like:
palette.php?colID=Funky-Colours
To produce a URL like: palette.php?colID=Funky-Colours
If so, can someone provide an example
You can do this by simply doing:
header('Location: palette.php?colID='.urlencode(str_replace(' ','-',$title)));
But in your palette.php, $_GET['colID'] will be receiving Funky-Colours instead of Funky Colours. So you need to use str_replace() again to convert the dashes to spaces.
So, another question would be, what do you intend to do with those column IDs with dashes? For instance, the $title submitted is Something-With-Dashes, your script would turn these dashes into spaces. But to answer your question, yes, it is possible to do this using str_replace().
i am trying to send a value through link and get the value on other file using $_GET but the problem is the value has & in between two words and in url its coming like
list.php?v=Bakery%20&%20Cake%20Design
and when i echo this value in second page it come out to be bakery instead of bakery cake & design . Since i am sending this value from the first page via jquery on click i tried using encodeURI() to remove the %20 from the link but it still does't helps as the part after %20 & is not being printed on second page when i echo the value. my jquery code is
var vendor = $(this).text().replace(/\s/g,"%20"); in this i tried to remove it via replace too . But still no help .
You dont need to remove %20
just check that there should not be any space between the variable and the value!
This will produce %20 :
echo '<td><b><font color="#663300">Deactivate User</font></b></td>';
This will not:
`echo '<td><b><font color="#663300">Deactivate User</font></b></td>';`
Reason : just a whitespace between (php?id ='.$row)
On the JS side you need to use encodeURIComponent() on the item with the ampersand like.
var title = encodeURIComponent('bakery cake & design'); // bakery%20cake%20%26%20design
As opposed to encodeURI which:
Note that encodeURI by itself cannot form proper HTTP GET and POST requests, such as for XMLHTTPRequests, because "&", "+", and "=" are not encoded, which are treated as special characters in GET and POST requests. encodeURIComponent, however, does encode these characters. These behaviors are most likely not consistent across browsers.
Use the URL Decoder function
echo urldecode("A%20B") // will print 'A B'
I am working with an XML feed that has, as one of it's nodes, a URL string similar to the following:
http://aflite.co.uk/track/?aid=13414&mid=32532&dl=http://www.google.com/&aref=chris
I understand that ampersands cause a lot of problems in XML and should be escaped by using & instead of a naked &. I therefore changed the php to read as follows:
<node><?php echo ('http://aflite.co.uk/track/?aid=13414&mid=32532&dl=http://www.google.com/&aref=chris'); ?></node>
However when this generates the XML feed, the string appears with the full &
and so the actual URL does not work. Apologies if this is a very basic misunderstanding but some guidance would be great.
I've also tried using %26 instead of & but still getting the same problem.
If you are inserting something into XML/HTML you should always use the htmlspecialchars function. this will escape your strings into correct XML syntax.
but you are running into a second problem.
your have added a second url to the first one.
this need also escaped into url syntax.
for this you need to use urlencode.
<node><?php echo htmlspecialchars('http://aflite.co.uk/track/?aid=13414&mid=32532&aref=chris&dl='.urlencode('http://www.google.com/')); ?></node>
& is correct for escaping ampersands in an XML document. The example you've given should work.
You state that it doesn't work, but you haven't stated what application you're using, or in what way it doesn't work. What exactly happens when you click the link? Do the & strings end up in the browser's URL field? If that's the case, it sounds like a fault with the software you've viewing the XML with. Have you tried looking at the XML in another application to see if the problem is consistent?
To answer the final part of your question: %26 would definitely not work for you -- this would be what you'd use if your URL parameters needed to contain ampersands. Say for example in aref=chris, if the name chris were to an ampersand (lets say the username was chris&bob), then that ampersand would need to be escaped using %26 so that the URL parser didn't see it as starting a new URL parameter.
Hope that helps.
I am retrieving an encoded url via querystring. I need to pass it again to the next page. When I retrieve it the first time, using $_REQUEST['url'], only the slashes are decoded, e.g:
http://example.com/search~S10?/Xllamas&searchscope=10&SORT=D/Xllamas&searchscope=10&SORT=D&SUBKEY=llamas/51%2C64%2C64%2CB/browse
The php docs page for urldecode advises against decoding request data, and says that it will already be decoded. I need it either completely decoded, so I can encode it again without double-encoding some parts, or not decoded at all.
I'm not sure why my experience of this data is incongruous with the php docs. Appreciate any help or pointers to same!!
EDIT: attempt to post relevant code, which is scattered about:
the url is encoded and added to the querystring (in an html file using smarty template):
<a class="button" href="{$baseurl}search_nojs?searcharg={$searcharg|escape:'url'}&url={$next|escape:'url'}"><span>Next>></span></a>
if that link was followed, i'm grabbing the url back out of the querystring (in a php file):
if(array_key_exists('url', $_REQUEST)) {
$sm->assign("searchurl", $_REQUEST['url']);
}
Then I'd like to stick the url back into the querystring for the next link (in another html file):
href="{$baseurl}detail?bibid={$res.bibid}&searcharg={$searcharg}{if $searchurl}&searchurl={$searchurl}{/if}"
I'm also printing {$searchurl} straight onto the page, and getting the same half-escaped result.
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
data retrieved from $_REQUEST:
searcharg=mammals&searchurl=http://example.com/search~S10?/Xmammals&searchscope=10&SORT=D/Xmammals&searchscope=10&SORT=D&SUBKEY=mammals/51%2C1114%2C1114%2CB/browse
I know this method may seem curious -- I am trying to make a mobile display, working around a black-box database. Thanks again for any help!!
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
This is double encoded. For example: %252C -> %2C -> ,
So at the point that you encode the url parameter, you're introducing double encoding. Perhaps you should ensure that, before encoding parameters, you decode them until they can be decoded no more (aka canonicalisation). You could use urldecode in a loop for this.
You also want to ensure that when you put the url parameter back into html context (as a link) that you escape for HTML Attributes too. Otherwise you have an XSS vulnerability.
The comma (U+002C) is a reserved character in the query and thus must be encoded with %2C:
3.4. Query Component
The query component is a string of information to be interpreted by
the resource.
query = *uric
Within a query component, the characters ";", "/", "?", ":", "#",
"&", "=", "+", ",", and "$" are reserved.